Mike Meredith

Sep 12 2015
 

According to the latest advice from CESG: "Regular password changing harms rather than improves security, so avoid placing this burden on users."

Wrong!

(Thanks to xkcd.com).

Most of the advice given is eminently sensible, and indeed forcing password changes on a frequent basis does more harm than good – when forced to change their passwords every 30 days (yes really!), people will commonly resort to sanity and use passwords of the form: someword-${month} (such as "happy-July"). However the advice to never force password changes was obviously written by someone who is under the belief that staff accounts have a somewhat limited lifetime – people change jobs, etc.

There is still a great deal to be said for changing passwords less frequently – say every couple of years. Or even a random number of days between 730 and 1,095, which will help to randomise calls to the Helpdesk. Amongst other things :-

  1. The concept of a strong password changes over the decades; allowing account passwords to remain the same for the lifetime of a staff account will mean that a considerable number of staff accounts will have weak passwords.
  2. There is such a thing as "accidental shoulder surfing" whereby someone acquires knowledge of part of your password by merely being present when you enter it. Over time they can acquire more and more of your password. 
  3. Only changing an account password when there is a suspicion it has become compromised means that there is no mechanism to lock stealthy intruders out. Whatever kind of anomalous account behaviour detection mechanism you have in place, there is always the chance that a compromised account can remain below the radar; periodic password changes do lock this intruder out.
  4. Less directly, but forcing regular account password changes on an infrequent basis does have the side effect that it allows the education of people that passwords can be compromised.

Of course every security person who read the CESG advice on passwords probably thought "Great. Now who is going to educate the auditors?". 
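
A sketch of the randomised interval of 730 to 1,095 days suggested above, as an added example that is not part of the original post. It derives a stable per-password lifetime with HMAC so the deadline does not shift between audit runs; the function names, the site key and the sample accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

MIN_DAYS, MAX_DAYS = 730, 1095  # range suggested in the post

def max_age_days(account: str, last_changed: date, key: bytes) -> int:
    """Stable per-password lifetime in [MIN_DAYS, MAX_DAYS].

    Derived with HMAC from the account name and the change date, so the
    deadline stays put between audit runs but is re-drawn after every
    password change. `key` is a site secret (assumption); storing a value
    drawn with secrets.randbelow() at change time works equally well.
    """
    msg = f"{account}|{last_changed.isoformat()}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    span = MAX_DAYS - MIN_DAYS + 1
    return MIN_DAYS + int.from_bytes(digest[:8], "big") % span

def expiry(account: str, last_changed: date, key: bytes) -> date:
    """Date on which this account's current password must be changed."""
    return last_changed + timedelta(days=max_age_days(account, last_changed, key))

def due_accounts(accounts: dict, today: date, key: bytes, warn_days: int = 30):
    """Return (account, expiry) pairs due within warn_days, soonest first."""
    due = []
    for name, changed in accounts.items():
        exp = expiry(name, changed, key)
        if exp - today <= timedelta(days=warn_days):
            due.append((name, exp))
    return sorted(due, key=lambda pair: pair[1])

# Constructed sample data: 200 accounts that all set passwords on one day,
# the worst case for a fixed interval (every expiry lands on the same date).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE = {f"user{i:03d}": date(2015, 9, 12) for i in range(200)}

if __name__ == "__main__":
    dates = [expiry(n, d, SAMPLE_KEY) for n, d in SAMPLE.items()]
    print("earliest:", min(dates), "latest:", max(dates))
    print("due soon:", due_accounts(SAMPLE, date(2017, 10, 1), SAMPLE_KEY)[:5])
```

With a fixed interval all 200 sample accounts would expire on one day; here the deadlines spread across roughly a year.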

Sep 08 2015
 

The big story of the day is the news that a UK drone strike took out an ISIS terrorist in Syria; one who used to be a UK citizen. After all, ISIS claims to be a nation state and so their "fighters" (actually terrorists) could be said to have given up their previous citizenship.

Arguing about whether it was justified is completely pointless without access to all of the relevant information which we won't get. It would be a very good idea for someone sensible (i.e. not a sleazy politician) outside of the intelligence community to review that secret information and to be the one authorising such activities.

But is a drone strike self-defence? It may well be under military terminology or even under international law.

In terms of ordinary understanding of self-defence, it is not – in terms of someone assaulting you, it is self-defence to break someone's arm as they are striking you; it is not self-defence to break their arm because they have promised to assault you tomorrow. As ordinary people understand the term, a drone strike is not self-defence.

It might be somewhat less controversial to call a spade a spade and term this attack a "pre-emptive defence against an imminent mass terrorist act" (or whatever phrase would fit the facts). On the face of it, using a drone strike to kill two terrorists only who are about to launch a terrorist attack, is the least-worst action. 

That does not justify so-called "collateral damage" (in honest spade terms, that would be the indiscriminate murder of innocent civilians), and anyone who authorises drone strikes that result in murder should be prosecuted.

Sep 03 2015
 

The news has been filled for a few weeks now with stories about "immigrants" making their way into Europe through various routes – across the sea to the Greek islands, and across land through Hungary. Of course technically they are all travellers until they stop moving and set up home (at which point they are immigrants unless they stopped moving before they left their home country).

It turns out that most of the travellers are from Syria or from Afghanistan which makes them refugees.

This is a special category of migrant, and such migrants have the right under international law to seek and enjoy asylum.

[Image: child_sea4]

Anyone trying to limit that right of asylum is almost certainly a criminal under international law, and morally bankrupt to boot. Those thinking that we can't take any more should take a long hard look at that dead child above; you are as responsible for that death just as much as if you beat that child to death personally.

There is no refugee crisis except in the sense that the refugees are not being treated properly. The fact that Europe was going to see an increase in the number of refugees was entirely predictable given the situation in Syria; particularly given that Turkey is hosting 1.7 million refugees. If anything there has been a crisis of political leadership amongst European politicians, and a failure to take a strong moral position. With a handful of exceptions.

The UK government is busy playing ostrich games by pretending that dealing with the Syrian crisis in Syria will make all the refugees disappear. Yes the ultimate solution is to sort out the situation in Syria, but in the meantime there are refugees dying. 

The EU needs to start funding the cost of dealing with refugees so that the countries least able to afford to don't have to pay a disproportionate amount (i.e. Greece).

The EU needs to set up safe, secure, and comfortable refugee centres where refugees can be accommodated, assessed, and then allocated a new country to go to.

The EU needs to allocate refugees out amongst all of the countries of the EU on a fair basis, and needs to shame the reluctant into accepting their fair share.

And we all need to slap down those who oppose treating the refugees properly.

 

Aug 27 2015
 

So there has been another senseless killing in the USA, and the world has reacted by asking Americans to "Please stop killing each other". If you read this blog religiously, you will probably recall previous occasions when I have mentioned gun control (and related issues), but bear with me. One slightly tacky thing to point out is that this senseless killing only made the news because it was shown on live TV – senseless killings in the USA are so common (I could probably link to hundreds of similar articles) that this would not ordinarily be newsworthy.

The gun control fans have of course emphasised that the USA needs proper gun control, and I'm not going to disagree. 

Any society as sick in terms of violence as the USA needs strong gun control because its citizens cannot be trusted not to run amok.

Those who want to hang onto their guns need to come up with a solution to the problem of violence in the USA and they need to stop parroting ridiculous excuses for why guns should not be controlled.